[<prev] [next>] [day] [month] [year] [list]
Message-ID: <002801cd0d21$cb94a250$0100a8c0@ml>
Date: Wed, 28 Mar 2012 23:30:48 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: XSS and BF vulnerabilities in WordPress
Hello list!
There are many vulnerabilities in WordPress which still not fixed. So I want
to warn you about three holes, two of them already fixed and one exists even
in the last version of the engine. These are Cross-Site Scripting and Brute
Force vulnerabilities in WordPress.
-------------------------
Affected products:
-------------------------
To XSS vulnerable are WordPress 2.2.3 and previous versions.
To Brute Force vulnerable are WordPress 2.3 - 3.3.1 versions.
----------
Details:
----------
XSS (WASC-08):
In 2007 I've wrote about redirectors (http://websecurity.com.ua/1152/) in
WordPress (http://websecurity.com.ua/1179/), for which I've released patch
in MustLive Security Pack v.1.0.5 (http://websecurity.com.ua/1209/) (and
this patch also protects against XSS). At that time researchers which found
redirectors didn't checked them for XSS, so I did it by myself.
XSS attacks are possible via these redirectors (via data URI):
http://site/wp-login.php?redirect_to=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B&action=logout
http://site/wp-pass.php?_wp_http_referer=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
At IIS web servers the redirect is going via Refresh header, and at other
web servers - via Location header. The developers fixed redirectors in WP
2.3 (and did it hiddenly, which was typical for them from 2007). So
Redirector and XSS attacks are possible only in previous versions.
Brute Force (WASC-11):
Besides BF via XML-RPC functionality, the passwords can be picked up also
via APP functionality.
http://site/wp-app.php
Since version WP 2.3 there is support of Atom Publishing Protocol in the
engine. There is no protection against BF attacks in this functionality
(Basic Authentication is used). APP functionality is turned off by default
since WordPress 2.6, like XML-RPC.
WP developers turned it off together with XML-RPC, i.e. not motivating it as
counteraction to Brute Force, but it worked also as protection against Brute
Force attack. So this issue doesn't concern those who uses WordPress since
version 2.6 with default settings. But those who needs to use APP, those
will have Brute Force vulnerability, because the developers didn't make
reliable protection against it.
------------
Timeline:
------------
2012.03.23 - disclosed at my site.
I mentioned about these vulnerabilities at my site
(http://websecurity.com.ua/5734/).
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists